Chrome 57 permanently enables DRM

The next stable version of Chrome (Chrome 57) will not allow users to disable the Widevine DRM plugin anymore, therefore making it an always-on, permanent feature of Chrome. The new version of Chrome will also eliminate the “chrome://plugins” internal URL, which means if you want to disable Flash, you’ll have to do it from the Settings page.

How EME Brought Mandatory DRM On The Web

EME (Encrypted Media Extensions) is an HTML specification which allows DRM plugins to encrypt web content. The specification was proposed by Netflix, as well as by Google and Microsoft.

The main positive feature of EME was supposed to be that internet users would be able to see more Hollywood content on the web without any plugins, such as Silverlight or Flash. At the time, Netflix was using a Silverlight player to stream its shows and movies in browsers.

The idea sounded appealing, especially considering Silverlight was getting deprecated by Microsoft, and Flash was known even then for its security issues. In time, most browsers also announced that they would deprecate Flash in favor of HTML alternatives.

However, this was mainly an issue for Netflix, which had to rewrite its web player with HTML. The company also ended up creating native applications anyway, making the web version almost unnecessary. (Although there is a convenience factor to the web version as well, especially for people who are used to doing everything in the browser these days.)

Perhaps EME’s biggest flaw is ultimately that it didn’t fulfill its main promise to get rid of plugins. Not only does EME require a DRM plugin for protected content, but it requires one for each browser, for whichever platform you may be using. Microsoft’s Edge browser uses the company’s own Windows 10 native DRM, while Chrome and Firefox use Google’s Widevine DRM. Firefox also uses Adobe’s “Primetime” DRM plugin.

Therefore, even a single browser may now require two different DRM plugins to play all DRM content. These plugins have their own security issues, but unlike with the Flash vulnerabilities, security researchers are banned from looking for them, due to Section 1201 of the Digital Millennium Copyright Act (DMCA). That means malicious hackers, who already engage in other criminal activities, may freely take advantage of all the vulnerabilities they find in these DRM plugins before companies discover them on their own.

Beyond the plugin issue, there may also be an oligopoly issue, because the content market will depend on four, and perhaps soon only three, major DRM services players: Google, Microsoft, and Apple. All of these companies have their own operating systems, so there is also less incentive for them to support other platforms in their DRM solutions.

What that means in practice is that if you choose to use a certain Linux distribution or some completely new operating system, you may not be able to play protected content, unless Google, Microsoft, or Apple decide to make their DRM work on that platform, too.

Chrome DRM, Now Always-On

According to a Chromium issue, the next version of Chrome will not allow users to disable DRM in their browsers anymore. Right now, if users don’t want to ever play Widevine-protected content, they can go to the chrome://plugins address and disable the DRM plugin there.

That doesn’t mean they can play the same videos without DRM protection, but according to some on the Chromium issue page, it saves them from having to deal with a bunch of Widevine DRM bugs that cause their Chrome browser to crash often.

It also allows the users to send content distributors a message that DRM is not accepted. If enough people do it, then it may stop or at least slow down the spread of DRM-locked content on the web. Alternatively, if DRM is enabled and can’t be switched off in all browsers, more and more developers may start to “take advantage” of it, just like they would any other new HTML specification, and lock down more and more content.

PDF Reader, Native Client Can’t Be Disabled Either

So far, only the Flash plugin can be disabled in the Chrome Settings page; there is no setting to disable the Widevine DRM plugin, the PDF viewer, or the Native Client plugin. PDF readers, including the ones that are built into browsers, are major targets for malicious hackers. PDF is a “powerful” file format that’s used by many, and it allows hackers to do all sorts of things given the right vulnerability.

People who prefer to open their PDF files in a better sandboxed environment or with a more secure PDF reader, rather than in Chrome, will not be able to do that anymore. All PDF files will always open in Chrome’s PDF viewer, starting with Chrome 57.

Chrome’s New Restrictions, Firefox’s Opportunity?

Firefox has its own series of security issues. However, as the team behind it works to significantly improve its security and performance this year, and as Chrome keeps using its large market share to enable user restrictions, Firefox may start to be used more by technology enthusiasts and their friends.